SWIFT Compliance Forum, Hong Kong
29 April 2016
Andrew Burlison, Head Of Compliance Solutions APAC, SWIFT
Alicia Wong, Compliance Services Consultant, Asia Pacific, SWIFT
Agenda
KYC Registry updates
SWIFT Compliance portfolio updates
Sanction Testing – How to reduce false hit rate, identify false negative & adjust threshold to the optimised level?
FATF 16 – Payment Data Quality
RMA Analysis – How to manage RMA relationship, and identify high risk RMA?
Compliance Analytics – How to identify nested activities, and continuous monitoring of SWIFT message
KYC Registry Update:
• Updated number of KYC Registry contributors until end of March 2016:
Global: over 2,400 banks
Asia Pacific: over 640 banks
Greater China Region: over 240 banks
Hong Kong: over 70 banks
SWIFT Compliance Portfolio
SWIFT Compliance Services: Function
1) KYC Registry: Correspondent Bank Platform
2) RMA Analysis: RMA analysis & clean-up
3) Sanction Screening: Message Screening
4) Sanctions Testing: Screening system testing
5) Compliance Analytics: SWIFT message continuous monitoring
UP-COMING SERVICES:
6) List Management Service: Sanction list database
7) FATF16 Data Quality: FATF16 wire transfer requirement
8) Name Screening Service: Customer screening system
SANCTIONS TESTING
Sanctions Testing puts you in control
How effective is my filter?
How does my filter mitigate my risks?
How can I manage match rates?
In the unlikely event of a sanction violation
• Sanctions filters mitigate business risk of low frequency but high impact events
• Irrespective of the likelihood of a sanctions violation, businesses have an obligation to ensure that sanctions controls work
• Sanctions testing ensures that your filter will operate in alignment with your risk policy
• Many sanctions filters are rarely tested
Sanctions Testing
Effectiveness
Efficiency
• Effectiveness: Meets regulatory demands and manages reputational risk
• Efficiency: Manages screening costs and resources
• Coverage: Improves filter coverage and ensures alignment to compliance policy and risk appetite
Common issues identified through testing:
Sanctions Lists Quality
• Outdated lists
• Missing entry types
• Missing entries
• Language variants not screened correctly
• Deleted records still screened
Screening Policy
• List scope incorrect or not aligned with bank policy
• Inconsistent implementation across filters
• Entity and alias types screened unnecessarily
Message Types
• Inconsistent screening performance across message types
• Message or file elements not screened properly
• Overreliance on specific fields (e.g. address or country)
Filter Weakness
• Poor fuzzy matching performance
• Line break, word order, sequences
• Poor performance against particular entries (short or long names, aliases)
• Character set matching issues
Sanctions Testing – 2015 – Confidentiality: Public
Test For Exact Matches / Coverage of EU List / Impact of Filter Threshold
Graphical view of filter fuzzy performance across all derivations applied
Test For Exact Matches / Coverage of EU List / Impact of Filter Threshold
Cases missed due to the "ampersand"
Cases missed due to length of Name
Formats
Settings
Lists
Automate • Repeat • Compare • Monitor
Sanctions Testing process
• Define test objective
• Download test files
• Process test files
• Upload hit results
• View test results
Third Party Assessment Report
Standard Services
• Standard report and assessment approach
• Workshop & findings
• Considers performance of your own filters
Effectiveness
• Provides assurance that your filter is working
• Captures Risk appetite
• Understand fuzzy performance
Efficiency
• Identifies opportunities for efficiencies / cost reduction
• Quick win efficiency improvements
Peer Assessment Reports
How does my filter compare?
[Chart: Exact Match and Fuzzy Performance, showing Institution against Peer Upper Range and Peer Lower Range]
Comprehensive
• Standard report and assessment approach
• Multiple peer performance dimensions
Helps you understand
• Relative performance
• Policy and technical implementation
• Risk appetite
SWIFT community
• Developed by and created for the SWIFT community
• Industry best practice
• Contribution basis
Am I in the safe-zone?
Understanding the evolving regulations around Payment Data Quality
Andrew Burlison, Head Of Compliance Solutions APAC, S.W.I.F.T
• What are the new FATF 16 recommendation and EU Funds transfer regulation?
• What do they mean for you as a global institution?
• How might they affect your business moving forward?
• What steps can you take today to prepare for these changes, ensure compliance and mitigate compliance-related cost and risk?
FATF 16 recommendation
16. Wire transfers *
Countries should ensure that financial institutions include required and accurate originator information, and required beneficiary information, on wire transfers and related messages, and that the information remains with the wire transfer or related message throughout the payment chain.
Countries should ensure that financial institutions monitor wire transfers for the purpose of detecting those which lack required originator and/or beneficiary information, and take appropriate measures.
Countries should ensure that, in the context of processing wire transfers, financial institutions take freezing action and should prohibit conducting transactions with designated persons and entities, as per the obligations set out in the relevant United Nations Security Council resolutions, such as resolution 1267 (1999) and its successor resolutions, and resolution 1373 (2001), relating to the prevention and suppression of terrorism and terrorist financing.
FATF 16 – In Detail
Ordering financial institution
11. The ordering financial institution should ensure that qualifying wire transfers contain required and accurate originator information, and required beneficiary information.
12. The ordering financial institution should ensure that cross-border wire transfers below any applicable threshold contain the name of the originator and the name of the beneficiary and an account number for each, or a unique transaction reference number.
13. The ordering financial institution should maintain all originator and beneficiary information collected, in accordance with Recommendation 11.
14. The ordering financial institution should not be allowed to execute the wire transfer if it does not comply with the requirements specified above.
Intermediary financial institution
15. For cross-border wire transfers, financial institutions processing an intermediary element of such chains of wire transfers should ensure that all originator and beneficiary information that accompanies a wire transfer is retained with it.
16. Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, a record should be kept, for at least five years, by the receiving intermediary financial institution of all the information received from the ordering financial institution or another intermediary financial institution.
17. An intermediary financial institution should take reasonable measures to identify cross-border wire transfers that lack required originator information or required beneficiary information. Such measures should be consistent with straight-through processing.
18. An intermediary financial institution should have effective risk-based policies and procedures for determining: (i) when to execute, reject, or suspend a wire transfer lacking required originator or required beneficiary information; and (ii) the appropriate follow-up action.
Beneficiary financial institution
19. A beneficiary financial institution should take reasonable measures to identify cross-border wire transfers that lack required originator or required beneficiary information. Such measures may include post-event monitoring or real-time monitoring where feasible.
MAS Notice 626 (Last revised on 30 November 2015)
PREVENTION OF MONEY LAUNDERING AND COUNTERING THE FINANCING OF TERRORISM - BANKS
Cross-border Wire Transfers Exceeding S$1,500
11.5 In a cross-border wire transfer where the amount to be transferred exceeds S$1,500, every bank which is an ordering institution shall include in the message or payment instruction that accompanies or relates to the wire transfer the information required by paragraph 11.4(a) to 11.4(d) and any of the following:
(a) the wire transfer originator’s
(i) residential address; or
(ii) registered or business address, and if different, principal place of business, as may be appropriate;
(b) the wire transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the wire transfer originator is not a natural person, the incorporation number or business registration number); or
(c) the date and place of birth, incorporation or registration of the wire transfer originator (as may be appropriate).
As well as the name of the wire transfer beneficiary; and the wire transfer beneficiary’s account number
EU Funds transfer regulation
· The Funds Transfer Regulation (Reg 2015/847) will repeal the existing wire transfer regulation (Reg 1781/2006) and extend its scope. The fourth EU AML Directive takes effect from June 2017
· New requirements for effective procedures at intermediary banks to detect and handle missing/incomplete payer/payee information.
[Table: columns Bank of Sender, Intermediary Bank, Bank of Receiver; rows 2006 Regulation and 2015 Regulation / 2017 implementation]
· Provide sender’s name, address and account number in payment
· Transmit sender data to the next bank in the payment chain
· Review payments for presence of complete sender data
· Request missing sender data
· Escalate banks repeatedly sending messages without complete sender data
· Establish ex-post or real time procedures to detect lacking complete sender/receiver information
· Establish risk based procedures to execute, reject or suspend a funds transfer lacking the required information
· Request missing payer or receiver data
· Escalate banks repeatedly sending payments lacking required data
· Transmit all payment data to the next bank
· Establish ex-post or real time procedures to detect lacking complete sender/receiver information
· Request missing sender data
· Escalate banks repeatedly sending messages without complete payer data
· Establish risk based procedures to execute, reject or suspend a funds transfer lacking the required information
· Provide receiver’s name and account number in payment
· Provide sender’s name, address and account number in payment
Banks Located Outside the EU
· Funds transfers paid into or through the EU require full payer and payee details
· Transactions with missing or incomplete details may be rejected or delayed
· Banks need to be prepared to handle increased investigation volumes when regulation comes into force in June 2017
Case Studies
Penalty and Remediation (20 listed points):
“XXXNY Can no longer open a U.S. dollar demand deposit account without prior approval from the DFS
Regarding “affiliate U.S. dollar clearing transactions” defined as
(a) a payment originated from the account of a customer held at a non-U.S. XXX branch or majority-owned subsidiary, and
(b) in an amount of $3,000.00 or more, the following will apply:
• Originator Identity Information: XXX affiliates provide the identity (name and address, including country) of the originator with respect to all such transactions.
• Beneficiary Identity Information: XXX affiliates provide any beneficiary identification information received with the transaction instruction with respect to all such transactions”
On the 5th of February 2015, Société Générale sent a “Broadcast” message advising that as of the 1st of April any credit transfers which have a link with the United States (transfers in USD and transfers in any other currency to be processed by a bank in the U.S.) shall contain the ordering and beneficiary customers' full data:
- account number of both the ordering and the beneficiary customers,
- full name of both the ordering and the beneficiary customers,
- complete address of both the ordering and the beneficiary customers.
Also stated in this Broadcast is that “any credit transfers listed above which will not contain the full data required will be cancelled. the cancellation will be notified as soon as possible by swift message.”
What does it mean for you as a global institution?
• Understand presence and quality of originator and beneficiary information in your SWIFT and other payment messages
• Verify whether this data meets regulatory requirements in line with FATF Recommendation 16
• Use reporting and notifications to assess and improve your own data quality and take appropriate measures with counterparties to ensure compliance
S.W.I.F.T Scope of messages being monitored
• MT103, MT202COV, MT205COV
• Inbound and outbound flows
• All entities belonging to your financial group
Other payment types to consider
• Fedwire
• CHIPS
• Any other cross border payment
FATF Requirements
50: Originator information
• Originator name present
• Account number of originator
• Address OR; National identity number OR; Customer identification number OR; Date and place of birth
59: Beneficiary information
• Beneficiary name present
• Account number of beneficiary
Scenario: Swift MT103 international payment
Example Message
Sender’s BIC: BANKUS33
MT: 103
Receiver’s BIC: BROMUS33
Sender’s reference: :20:CCT6781630
Bank Operation Code: :23B:CRED
Value date/currency/Interbank Settled amount: :32A:141215USD57276,12
Currency/instructed Amount: :33B:EUR62500,
Exchange rate: :36:0,9165
Ordering Customer: :50A:/987456321
    AMERCHZ1
Ordering Institution: :52A:UBSWCHCZ
Beneficiary Institution: :57A:BROMITRD
Beneficiary Customer: :59:/IT66578675674585687
    GIOVANNI EXPORT
    PIAZZA VENEZIA 44
    IT-00187 ROMA
Remittance Information: :70:/INV/QSD675
Details of charges: :71A:SHA
Sender’s charges: :71F:USD5,
Automated Monitoring, how do you check for Data Quality?
Various Elements that you may want to check using an automated solution
Party identifier
• Empty value
• Presence account number
• Account number length (parameter)
• IBAN
• Valid IBAN
• Cheque
Name
• Empty value
• Name length (parameter)
• Number of consecutive repetitive characters (parameter)
• Presence of CCC
• Characters present in dummy list
• Cheque
Address and additional info
• Address length (parameter)
• Number of consecutive numerical / alphabetical repetitive characters (parameter)
• Characters present in dummy list
• 50F presence of alternative address info
Country
• No country in all lines
• Country line filled out (truncation)
• Characters present in dummy list
• Country present in acceptable synonym list
Other
• Use of field option (structured or free format)
• Country of domicile of originator / beneficiary matches country of originator / beneficiary bank
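Some of the checks listed above, applied to the MT103 scenario, as an added example that is not part of the original slides or of any SWIFT product: a small Python checker for the originator (field 50) and beneficiary (field 59) data. The line breaks in the sample, the dummy list and the length and repetition parameters are assumptions, and structured option F is reported but not parsed.

```python
import re
# Constructed sample: the MT103 body shown on the slide, with field line
# breaks restored at assumed positions (the slide text lost them).
SAMPLE_MT103 = """:20:CCT6781630
:23B:CRED
:32A:141215USD57276,12
:33B:EUR62500,
:36:0,9165
:50A:/987456321
AMERCHZ1
:52A:UBSWCHCZ
:57A:BROMITRD
:59:/IT66578675674585687
GIOVANNI EXPORT
PIAZZA VENEZIA 44
IT-00187 ROMA
:70:/INV/QSD675
:71A:SHA
:71F:USD5,"""
# Constructed counter-example with poor originator and beneficiary data.
BAD_MT103 = """:20:CONSTRUCTED1
:23B:CRED
:32A:160429USD1000,
:50K:XXXXXX
:59:UNKNOWN
:71A:SHA"""
DUMMY_VALUES = {"UNKNOWN", "NA", "N/A", "NONE", "XXX", "TEST"}  # assumed dummy list
MIN_NAME_LEN = 3   # assumed "name length" parameter
MAX_REPEAT = 3     # assumed longest allowed run of one repeated character
TAG_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")

def parse_fields(body):
    """Map each field tag to its lines; untagged lines continue the previous field."""
    fields, current = {}, None
    for line in body.splitlines():
        m = TAG_RE.match(line)
        if m:
            current = m.group(1)
            fields[current] = [m.group(2)]
        elif current and line.strip():
            fields[current].append(line.strip())
    return fields

def split_party(lines):
    """Return (account, other lines); the account is an optional first line starting with '/'."""
    if lines and lines[0].startswith("/"):
        return lines[0][1:].strip(), lines[1:]
    return "", lines

def free_format_issues(lines, need_address):
    """Findings for a free-format party field (50K or 59): account, name, address."""
    account, text = split_party(lines)
    name, address = (text[0] if text else ""), text[1:]
    issues = [] if account else ["missing account number"]
    if len(name) < MIN_NAME_LEN:
        issues.append("missing or too-short name")
    elif name.upper() in DUMMY_VALUES:
        issues.append("dummy name")
    elif re.search(r"(.)\1{%d,}" % MAX_REPEAT, name):
        issues.append("repetitive characters in name")
    if need_address and not address:
        issues.append("missing address or identifier")
    return issues

def check_mt103(body):
    """Return {field tag: [findings]} for the originator (50x) and beneficiary (59x)."""
    fields, findings = parse_fields(body), {}
    for base, need_address in (("50", True), ("59", False)):
        tag = next((t for t in fields if t[:2] == base), None)
        if tag is None:
            findings[base] = ["field absent"]
        elif tag.endswith("A"):  # option A: account plus BIC, no name/address lines
            account, _ = split_party(fields[tag])
            issues = [] if account else ["missing account number"]
            findings[tag] = issues + ["party identified by BIC only, no name or address in message"]
        elif tag.endswith("F"):
            findings[tag] = ["structured option F not parsed here"]
        else:
            findings[tag] = free_format_issues(fields[tag], need_address)
    return findings
```

On the slide's message the beneficiary passes, while the originator in option A is flagged because its name and address can only be resolved from the BIC.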
What are the additional benefits of improving payment data quality with an automated tool?
• Improved STP
• Improved outcomes on your sanctions screening
• Reducing false positives
• Quicker remediation
• Therefore reducing cost
• AML Transaction Monitoring
• Enhanced controls and understanding of payment transactions
• Monitor centrally to drive consistency at reaching a global standard throughout your institution
Summary
The time is now to understand what risk the new regulations mean for your Financial Institution
First step is to understand how many of the payments, whether you are the Sender, Intermediary, or Receiver of the payment, meet or fall short of the new requirements.
Take steps to put in place an automated monitoring tool to detect and identify which of your counterparties are serial offenders
Start planning on systems and processes that will reject payments that do not meet the new regulation guidelines.
Use this compelling event to bring a business benefit to your institution by enhancing your payment practices.
Q&A
RMA Analysis and Clean-up as an Enabler of Compliance
Alicia Wong, CPA
SWIFT | Compliance Services Consultant
+85 2 2107 [email protected]
Manage your RMA relationships & identify high risk RMAs
RMA analysis and review 29
What is RMA? Why is it relevant to you?
RMA (Relationship Management Application) is a SWIFT mechanism to control the traffic you want to accept from your correspondents and vice-versa.
De-risking? RMA is first line of defense!
RMA Best Practice
• RMA Standard Operating Procedures
• RMA Analysis
• RMA Clean-up services
The Benefits of adopting RMA Best Practice:
• Better understand Correspondent Banking Relationships
• Find out dormant/unused RMAs to reduce compliance cost & risks
• Avoid Unwanted / Unexpected Traffic
What do you need to know about your Correspondent Banks?
How many RMAs do I have?
When were the RMAs created?
Are they located in high risk countries?
Who are their parent banks?
How often do I do business with them?
What are the messages types exchanged?
What is the volume of messages exchanged?
What is the value of the messages exchanged?
Risk assessment High Risk RMAs
Est. >45% DORMANT & UNUSED RMA relations
Find out Dormant/Unused RMAs to reduce cost of compliance
Costs of Compliance
HKMA No. 3.3 Guideline on Anti-Money Laundering and Counter-Terrorist Financing (Revised in March 2015) –
The Benefits of adopting RMA Best Practice:
• Better understand Correspondent Banking Relationships
• Find out dormant/unused RMAs to reduce compliance cost & risks
• Avoid Unwanted / Unexpected SWIFT Messages
RMA Best Practice
1st Standard Operating Procedures
2nd RMA Analysis
3rd RMA Clean-up
Step 1: Setup Standard Operating Procedures
How to create new correspondent banking relations?
[Flowchart: A case assigned to RMA Manager; High risk counter-party? (No / Yes); Due Diligence; Business justification; Senior Management Approval]
SWIFT Compliance Consulting Services
RMA Authorisations Tasks
• Create
• Close
• On-going monitoring
Responsibility Assignment Matrix
• Who is responsible?
• Who is accountable?
• Who is consulted?
• Who is informed?
Controls
Step 2: Conduct RMA Analysis
Data Collection: Overview of existing RMA’s inbound and outbound
• Institution provides the list of RMA in XML
• Workshop implementation best practices
RMA Analysis: Link with FIN authenticated transactions to define the RMA status
• Three possible statuses: Active, Dormant, Unused
Key Findings Review: Key findings
• List “hot items” among RMA correspondence (overview of usage with details at BIC level)
Business Evaluation (Optional)
RMA Clean-up: Remove list of identified RMA’s automatically from your interface
• Process and assistance to facilitate the bulk removal of selected unused RMA relationships
Identify the status of RMA relations
Objective: identify latest month during which traffic was exchanged with counterparty and derive status of the RMA using only authenticated traffic.
Traffic exchanged since creation?
• No: Unused
• Yes, not in recent 12 months: Dormant
• Yes, in recent 12 months: Active
Hot items
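The status rule above, as an added example (not SWIFT's implementation): it finds the latest month of authenticated traffic per counterparty and derives Active, Dormant or Unused. The record layout, the sample traffic and the exact 12-month boundary are assumptions; the BICs are the placeholder codes used elsewhere in these slides.

```python
from collections import namedtuple

# Hypothetical record layout: counterparty BIC, "YYYY-MM" month, and whether
# the traffic was authenticated (only that traffic counts towards the status).
Traffic = namedtuple("Traffic", "bic month authenticated")

# Constructed sample data: RMA authorisations with their creation month.
SAMPLE_RMAS = {"AUBANKAUXX": "2012-05", "MMBANKMM01": "2013-01", "MMBANKMMYY": "2014-09"}
SAMPLE_TRAFFIC = [
    Traffic("AUBANKAUXX", "2016-02", True),
    Traffic("MMBANKMM01", "2014-11", True),
    Traffic("MMBANKMM01", "2016-01", False),  # unauthenticated: ignored
    Traffic("MMBANKMMYY", "2015-12", False),  # unauthenticated: ignored
    Traffic("HKBANKHKHH", "2016-03", True),   # no RMA on file: ignored
]

def months_between(earlier, later):
    """Whole months from one 'YYYY-MM' string to another."""
    ey, em = map(int, earlier.split("-"))
    ly, lm = map(int, later.split("-"))
    return (ly - ey) * 12 + (lm - em)

def rma_status(rmas, traffic, as_of, window=12):
    """Return {bic: (status, latest authenticated traffic month or None)}."""
    last_seen = {}
    for t in traffic:
        if not t.authenticated or t.bic not in rmas:
            continue
        if t.month < rmas[t.bic]:          # before the RMA was created
            continue
        if t.bic not in last_seen or t.month > last_seen[t.bic]:
            last_seen[t.bic] = t.month
    result = {}
    for bic in rmas:
        last = last_seen.get(bic)
        if last is None:
            status = "Unused"              # no traffic exchanged since creation
        elif months_between(last, as_of) < window:
            status = "Active"              # traffic in the recent 12 months
        else:
            status = "Dormant"             # traffic, but not in the recent 12 months
        result[bic] = (status, last)
    return result
```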
Step 2: Conduct RMA Analysis
Data Collection: Overview of existing RMA’s inbound and outbound
• Institution provides the list of RMA in XML
• Workshop implementation best practices
RMA Analysis: Link with FIN authenticated transactions to define the RMA status
• Three possible statuses: Active, Dormant, Unused
Key Findings Review: Key findings
• List “hot items” among RMA correspondence + Business Intelligence
Business Evaluation (Optional)
RMA Clean-up: Remove list of identified RMA’s automatically from your interface
• Process and assistance to facilitate the bulk removal of selected unused RMA relationships
Step 2: RMA Analysis Sample Report
1. How many RMAs I have?
2. Located in high risk countries?
3. Who are the parent banks?
4. How often do I do business?
5. What types of business relationships?
Additional business intelligence: granularity of messages types, volume and value of messages exchanged
Step 3: RMA Clean-up Services
Data Collection: Overview of existing RMA’s inbound and outbound
• Institution provides the list of RMA in XML
• Workshop implementation best practices
RMA Analysis: Link with FIN authenticated transactions to define the RMA status
• Three possible statuses: Active, Dormant, Unused
Key Findings Review: Key findings
• List “hot items” among RMA correspondence (overview of usage with details at BIC level)
Business Evaluation (Optional)
RMA Clean-up: Remove list of identified RMA’s automatically from your interface
• Process and assistance to facilitate the bulk removal of selected unused RMA relationships
• Analyse RMA answer messages
• Adapt list of RMA authorisations to be removed if necessary
Step 3: RMA Clean-up Services
Kick-off meeting
List of authorisation
Analysis of Answers
Query generation
1 2 3 4
RMA clean-up
• Decide list of authorisations “to be deleted”
• Identify scope
• Clarify responsibilities
• Create an RMA Query message for each “unwanted” RMA authorisations to check importance of relations
• Remove “unwanted” RMA authorisations
5
Q&A
Compliance Analytics
Sharpen oversight of financial crime related risk
Identify hidden relationships in payment flows – Receiving Banks
Originating Institution – Country
Counterparty = Sender - Country
Your Bank = Receiver
Beneficiary institution - Country
Direct Relationships
Indirect Relationships
HKBANKHKHH
AUBANKAUXX
MMBANKMM01
MMBANKMMYY
Identify hidden relationships in payment flows – Sending Banks
Originating Institution - Country
Your bank = Sender
Counterparty = Receiver - Country
Beneficiary institution - Country
Direct Relationships
Indirect Relationships
HKBANKHKHH
AUBANKAUXX
MMBANKMM01
MMBANKMMYY
What is Compliance Analytics?
• Risk Monitoring Tool
• Collaborate major FIs
• Cloud based solution
• Traffic on SWIFT network
• Identify hidden relationships
• Events triggered Alerts
• SWIFT Consulting & Support
• Detecting unusual patterns, policies breach
How Compliance Analytics can help banks to manage their Financial Crime Risks?
1. Global view – Am I the last man standing in a corridor?
• Your bank’s message data (value & volume) in different countries (inbound & outbound)
• SWIFT total traffic data of a particular corridor (inbound & outbound)
• Business evaluation
• Risk assessment
Messages from Myanmar by volume and value Activity share (Corridor: messages from Myanmar to HK)
Your bank’s total
SWIFT’s total
Activity share trend?
1. Peers withdrawal?
2. Aggressive expansion?
Activity share: 45%
• Understand the business operations in different countries
• Detecting irregular trends, outliers, policies breach
• Any high risk countries involved?
1. Global view – Business Overview by Countries
1. High value from a particular country?
2. Any irregular trends?
3. Any high risk countries involved?
No. of MT103 Monthly Evolution received from Myanmar
There is substantial increase in Dec & Jan, further investigation!
1. Global view – Business Overview by Branches
• Better control over transaction activity by branches
• Any high risk countries involved?
• Collateral for monitoring, no need to gather information from branches separately and consolidate
1. Transaction activity by country
2. Collateral for monitoring
3. For branches to report to HQ/regulators
How Compliance Analytics can help banks to manage their Financial Crime Risks?
2. Country Risk Assessment – Who are my Major Counterparties?
• Who are my major counterparties in Myanmar by value or by volume?
• Identify irregular trends
1. Low volume but high value
Counterparties Rank by Value
2. Breakdown for checking for irregular trends
2. Country risk assessment – identify high risk corridor
• Identify the originating & beneficiary countries to find out hidden relationships
• Obtain good insights on nested relationships, which are difficult for banks to identify
• Identify irregular flows and compliance breaches
USA BANKHKHH
USA 20%, Myanmar 18%, Russia 15%, Sudan 5%, Others…
HK 50%, USA 20%, Myanmar 13%, Sudan 5%, Others…
Direct Relationships
Indirect Relationships
Originating country (Field 52)
Sender = Counterparty Country
Your bank
Beneficiary country (Field 57)
How Compliance Analytics can help banks to manage their Financial Crime Risks?
3. Counterparty Risk Assessment – identify high risk transactions
High % of non-structured option? Option D: free format
CORRUS33
Your bank = BANKHKHK
High % of non-structured option? Option D: free format
• Identify which counterparty is exposing you to high risk business by looking into the originating and beneficiary countries
• Are there any banks sending you messages indirectly through your counterparties?
Originating institution (Field 52)
Sender = Counterparty
Your bank
Beneficiary institution (Field 57)
Direct Relationships
Indirect Relationships
3. Counterparty Risk Assessment
• In-depth investigation on high risk transactions
• Leverage the transaction reference for payment details
BANKHKHH Russia Empty Field BANKUS33 Myanmar BANKMM33 n/a Myanmar DEMOMM2L
Drill down to transaction details
Originating country (Field 52)
Sender = Counterparty
Your bank
Beneficiary country (Field 57)
BANKMM33 BANKUS33 USA
Your bank BANKHKHK
DEMOMM2L
What other values can it bring?
RMA Analysis by branches & by countries
Events driven alerts
Fine tune transaction monitoring tool
RMA Analysis by branches & by countries
• Better manage correspondent risks
• Identify unused & dormant RMAs by branches and by countries
Over half of the RMAs are dormant & unused
Identify unused & dormant RMAs by branches
RMA Analysis by branches
Status of Inbound RMAs / Status of Outbound RMAs
Fine Tune Transaction Monitoring Tool
• Analyse traffic data for adjusting transaction monitoring threshold
• Improve effectiveness for transaction monitoring purpose
>80% less than USD10k good indicator for setting threshold
% message received by value buckets by Counterparty Country
Events Driven Alerts
• Any interactions with countries with sanctions?
• Any new RMAs created with counterparties located in countries with sanctions?
• RMAs suddenly active
• Fast growing counterparties
• Market share exceeds a certain %
Any transactions with countries with sanctions last month?
1. New RMAs with countries with sanctions
2. RMA suddenly active
Fast growing counterparties
Customer defined alerts
Q&A